How to grant another user Cloud deployment privileges for my FatFractal domain? - custom-backend

Is there a way to grant other FatFractal users Cloud deployment privileges on one of my domains? The domain/application are registered under my FatFractal account, and my partner is receiving 400 Errors (permission denied) from his FF local runtime engine when attempting to deploy an updated version of the app.
Also, is it possible to limit the scope of deployment privileges to a specific domain/application combo as opposed to the entire domain?

If you go to the FatFractal Console and then click on "Invitations" in the menu, you can give other users read-only or read/write privileges to domains and applications.

Related

How to give access for IBM Cloud for Domain Name Services and Cloud Internet Services to account users?

How to give access to my team mate on IBM Cloud account on the resources, Domain Registration Service and Internet Services resource?
The admin wants to add privileges. But when he looks at the list, he cannot find the Domain Registration and Internet Services. The users are already in the IBM Cloud account.
There are a couple of ways to accomplish that with IBM Cloud IAM (Identity and Access Management), including granting the permissions directly to the users in question or creating an access group with the privileges first and adding the users to that group (best practice).
DNS Services has the listed roles including Administrator
Cloud Internet Services has a Manager service role
So your admin would
create an access group
add the privileges for DNS Services and CIS to it as policies
would need to make sure that privileges on the resource group to see the service instances are added
add the users to the access group.
Thereafter, you should have access.

Create an Active Directory account with no privileges

I want to know if it's possible to create an Active Directory user account that confers no access or privileges to that user, simply to authenticate a set of credentials.
As we are a hybridised AD/Azure organisation, I want this 'account' to replicate to Azure through the connector.
The reason for this is that:
We manage all our users through AD so I don't want some accounts managed only in Azure; it would be very confusing. Centralised management and support is good!
The account would ONLY be used for authenticating users into Zoom via SAML2, or any other cloud service for that matter that can use Azure as an authentication service.
No capacity to access anything within our firewall.
Your ideas would be greatly appreciated.
Gus
It depends how you define "access". By default, the Authenticated Users group is able to read everything in AD, but not write. If you're ok with that, then you're done. Just create a user and don't add any access to it.
If you don't want it to read anything on the domain, then you'll have trouble. The Authenticated Users group is described as:
A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.
Since there is no way to not have a user be part of Authenticated Users, then you would have to modify the permissions on your domain to exclude Authenticated Users. But that may cause other issues for other users.
As far as I know, the most basic permissions that any user is created with also allow viewing other users or groups in AAD. If you want to turn off this basic permission, just set Restrict access to Azure AD administration portal to Yes, then the user will not have any access rights.
Go to Azure portal -> click Azure Active Directory -> User settings

Which permission is required when getting all users using Azure Graph API

I'm writing a web application and I want to get all users using Azure Graph API. Which permissions are required? Does admin have to consent?
At the very least, your application would need Read Directory Data permission that you will setup in Azure Portal when configuring your application.
Does admin have to consent?
Yes, the admin would have to consent.

Jenkins LDAP authentication - deny

We use Jenkins with LDAP authentication. My question: is it possible to implement this rights scenario?
if not logged-in (anonymous) ==> read all
if logged in (via LDAP) but not a "special" user ==> full access to specified jobs only
if logged in (via LDAP) and also a "special" user ==> full admin access
My goal is to avoid having to manage large numbers of users explicitly.
There's a plugin "Role Strategy Plugin" that supports permissions for specified jobs, but it doesn't distinguish between anonymous and logged-in (via LDAP) users. It seems that the only way to grant access to specified jobs is to grant it user by user...which I want to avoid.
Can you use Active Directory? If so:
You can use groups for authentication, and therefore assign rights to the entire group.
You can use a project-based matrix, so specified jobs will only be visible to specific groups.
If you cannot (only LDAP):
I think you can still do the above, but I think your LDAP configuration will require more work for groups. I am not sure of group support in the Jenkins LDAP API.
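One way to express the group-based, project-matrix setup suggested in the answer above, as an added example (not the original poster's configuration and not part of any Jenkins project documentation). It assumes the Configuration as Code plugin, the LDAP plugin with an AD backend, the Matrix Authorization Strategy plugin (3.x `entries` syntax), Job DSL, an assumed admin group named jenkins-admins, and a bind password supplied via the LDAP_BIND_PASSWORD environment variable; the hostnames and DNs are placeholders.

```yaml
# Assumed JCasC (jenkins.yaml) fragment; every name below is a placeholder.
jenkins:
  securityRealm:
    ldap:
      configurations:
        - server: "ldaps://ad.example.com:636"      # LDAPS, never plain ldap://
          rootDN: "dc=example,dc=com"
          userSearchBase: "ou=People"
          userSearch: "sAMAccountName={0}"
          groupSearchBase: "ou=Groups"
          # Resolve AD group membership from the user's memberOf attribute
          groupMembershipStrategy:
            fromUserRecord:
              attributeName: "memberOf"
          # Low-privilege, read-only bind account; secret comes from the environment
          managerDN: "cn=jenkins-bind,ou=Service Accounts,dc=example,dc=com"
          managerPasswordSecret: "${LDAP_BIND_PASSWORD}"
  authorizationStrategy:
    projectMatrix:
      entries:
        # Scenario 1: anonymous can read everything (Overall/Read + Job/Read at global level)
        - user:
            name: "anonymous"
            permissions:
              - "Overall/Read"
              - "Job/Read"
        # Scenario 2: any LDAP-authenticated user gets nothing extra globally;
        # per-job rights are granted on the individual jobs below.
        - group:
            name: "authenticated"
            permissions:
              - "Overall/Read"
        # Scenario 3: the "special" AD group gets full admin rights
        - group:
            name: "jenkins-admins"
            permissions:
              - "Overall/Administer"
jobs:
  # Job DSL: only this job grants build/configure rights to all logged-in users,
  # so no per-user management is needed on the Jenkins side.
  - script: >
      pipelineJob('partner-deploy') {
        authorization {
          permission('hudson.model.Item.Build', 'authenticated')
          permission('hudson.model.Item.Configure', 'authenticated')
          permission('hudson.model.Item.Workspace', 'authenticated')
        }
        definition { cps { script("echo 'deploy step placeholder'") } }
      }
```

Anonymous read rights inherit to every job through the global matrix, while build and configure rights exist only on jobs that declare them; adding a user to the jenkins-admins AD group is the only step needed to promote them.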

LDAP / Active Directory with External Users

Context
A company that has used Active Directory for a long time. Previously, admins added the Domain Users group to many resources with read access. It is not realistic to change all this.
A service, in this case a GitHub:Enterprise instance, that uses LDAP for authentication was introduced for a cooperation project with another company.
Problem
Creating AD accounts for the external users gives them access to many resources which they should not have access to. If we don't create AD accounts for them, they cannot access the new service.
Is there a way to create a kind of 'decorated' proxy for AD that has some local users (the external guys) and refers to the original AD db for other users (the employees)?
What other ways are there that could solve the access permission problem?
It is possible to set up an additional VM with either Windows or Linux to solve the problem; however, it would be preferable if that was not required.
Typically this would be done with SAML federation.
Or you could use your OpenLDAP and add all the users into it, as this would not allow permissions for AD.